[#QB-4246] Users can trigger builds via promotion without proper permissions

<< Back to previous view

[QB-4246] Users can trigger builds via promotion without proper permissions Created: 11/Mar/26 Updated: 11/Mar/26
Status:	Open
Project:	QuickBuild
Component/s:	None
Affects Version/s:	16.0.0
Fix Version/s:	None

Type:

Bug

Priority:

Major

Reporter:

Nguyen Danh Hung

Assigned To:

Robin Shen

Resolution:

Unresolved

Votes:

Remaining Estimate:

Unknown

Time Spent:

Unknown

Original Estimate:

Unknown

Description

Hello Mr. Robin Shen,
There is an issue when user can trigger build without RUN_BUILD permission:

- 2 configurations: CONF_1, CONF_2
- User only has PROMOTE_BUILD permisison in CONF_1
- User used rest api to request build in CONF_2:
+ Case 1 - Without promotionSource in xml: Build cannot start
+ Case 2 - With promotionSource includes a buildId in CONF_1 in xml: A build started in CONF_2

Please help to investigata case 2

Generated at Fri Mar 20 04:50:16 UTC 2026 using JIRA 189.

[QB-4246] Users can trigger builds via promotion without proper permissions Created: 11/Mar/26 Updated: 11/Mar/26

[QB-4246] Users can trigger builds via promotion without proper permissions
Created: 11/Mar/26 Updated: 11/Mar/26